Adobe Reader/Acrobat Security Update

Adobe has released a critical security update for the Adobe Reader and Acrobat products.  If you can view PDF files, chances are high you may be vulnerable.

To update your computer, check to see if there is a red Adobe icon down in the system tray by your clock.  It may already be trying to tell you to update! Double-click on the icon if it is there, and the following screen will appear:

Simply click “Download” or “Update”  and follow the prompts to keep your computer up-to-date.

If there is no red Adobe icon in your system tray, simply launch Adobe Reader or Acrobat, click on the “Help” menu, and select “Check for Updates…”.

When you are done with the update, you will be required to restart your computer.  Timing this with a lunch break (or any kind of break for that matter) is a good way to apply this update with the minimum amount of inconvenience.

A bug was identified where opening a specially crafted PDF file could crash your computer, or run programs without your knowledge.  Technical details regarding the vulnerability can be found at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0611

Averting a Disaster

I have been wrestling with an issue with our Internet firewall recently, and the culmination of troubleshooting efforts boiled down to a simple fact: a module inside the firewall would have to be rebooted.  This ends up being a big deal because while our firewall is rebooting, network traffic cannot pass thru it, effectively isolating WSU until the firewall properly initializes again.

While this is a minor annoyance when we have to do this at home with our Cable/DSL Modems, it has the potential of being something very nasty at an institution as large as Wayne State University.  That is all time that off-site students cannot access their Blackboard sessions, faculty cannot collaborate with other Universities, and prospective students cannot browse our webpages looking for that perfect program to enroll in.

Thankfully, in working with the Network Engineering group, the Information Security Office has multiple redundant systems setup for exactly this purpose.  With a few keystrokes, the Internet traffic was instantly rerouted thru our secondary Internet firewall, picking up the 161,000 network connections with ease.  Now that our troublesome firewall was “out of the loop”, we were able to run the diagnostic commands to restart certain modules without causing a moment of downtime.  This, in turn, helped resolve several production issues that have been growing over the past few weeks.

Exercises like this should be a reminder on how important it is to build redundancy in the systems that we create.  While the above was a controlled event, it as just as important to be ready in the case of an unexpected failure, such as a power supply failing or a backhoe digging up your fiber connection.  When dealing with large enterprise systems (including our Internet backbone), effective redundancy, Disaster Recovery, and Business Continuity Planning must be built into your methods and practices.  Without these things, it will be impossible to deliver the quality of services that our consumers live to expect!

 

Undergarments and Passwords

Passwords are like underwear:

  • Change them often;
  • Don’t share them with others;
  • Leaving them out in the open is something kids do;
  • It can be really hard to part ways with one you are used to.

Trust me, I feel the same pain and frustration when it comes to keeping track of all the passwords that I use for my work and personal lives.  Everyone has accounts for their desktop computers, for the servers they connect to, for the departmental applications they run, for the banks they do business with, for the utility companies for online billpay, and for the plethora of other online resources.  Keeping a handle on all of these electronic identities takes more time than it should, but it beats the alternative of having your identity stolen.

Changing your passwords once or twice a year is an excellent practice to get in to.  Consider doing it at the beginning and middle of each year – changing all your passwords is a New Year’s Resolution you can keep, and you can consider it your patriotic duty around the Fourth of July.  Why change your passwords with such frequency?  Two good reasons:

  1. It keeps reminding you about all of your electronic accounts so nothing slips thru the cracks, and
  2. In the event one of your accounts is compromised, it limits the amount of time bad things can happen.

When creating new passwords, an easy way to keep a handle on all of them is to create a simple password scheme that only you know.  A password scheme can consist of a base password combined with a little bit of information about the system or site you are logging in to.  For example:

Base Password: SkydivingMakesMe$ick

System Append Final Password
Desktop Login Windows SkydivingMakesMe$ickWindows
Work Login WSU SkydivingMakesMe$ickWSU
Banking Website money SkydivingMakesMe$ickmoney
Electric Utility Website Power SkydivingMakesMe$ickPower
Facebook Login FB SkydivingMakesMe$ickFB

 

By using this method, you create a simple phrase that you can easily remember.  This phrase is just a few words, and should contain a capital letter, a special character, or a number in it somewhere for added security.  Then you can just prepend or append a tiny word in relation to what you are accessing.  Congratulations!  In five minutes you have just created one of the most secure passwords and schemes known to man. Also, by doing this, you can abolish the need for writing down your passwords – another common way to get yourself into trouble.  It really is that simple!

Not sharing your passwords or account names would be a really good idea at this point.  You worked hard enough to create this amazing, easy way to remember all of this information – the last thing you want to do is make it all obsolete!  Do not disclose your username to any non-affiliated party, and NEVER disclose your password for ANY reason.  The moment you tell someone your password, your electronic life is now in their hands.  If an organization says that they need to know what your password is, discontinue using them immediately.  There are plenty of reputable organizations who will be more than willing to deal with you without violating your security.

How Vital is Network Security?

The Information Security Office(ISO) is responsible for the implementation, maintenance and troubleshooting of numerous firewalls located throughout campus.  These firewalls are dedicated hardware devices that sit on the network between key areas acting as “gatekeepers” – they can be programmed to a very fine detail as to which kinds of traffic or activity should be permitted or denied.

If a new server or network service is being implemented here at Wayne State, we may have to alter the configuration on one or more of our firewalls in order for it to work properly.  In order to do this, the Firewall Rule Change Request web-based form can be submitted.  Using this form allows us to have a single, standardized, and audit-able way to perform configuration changes on our firewalls.

We understand that the open nature of education clashes with the closed nature of security.  While to some it may seem inconvenient to involve an additional party (the Information Security Office) whenever you would like to make a change to a server or service, maintaining a proper level of IT security is paramount to ensuring that we have the minimum amount of risk or chance of a data breach or compromise.  The last thing that I ever want to see is a headline in the Detroit Free Press that a hacker compromised any of our student or financial data.

For a 24 hour period spanning between April 5th and 6th, our security devices provided the following protection:

  • 61.6 million blocked connections from over 1 million Internet hosts headed to WSU non-server networks;
  • 5 million successful connections to WSU servers from the Internet;
  • Over 2000 prevented specific attacks from the Internet to WSU non-server networks;
  • Over 800 prevented specific attacks from the Internet to WSU servers.

It is always enlightening to see the actual, proven benefits of the diligence and hard work when everybody comes together!